ESET security researchers have identified a previously undocumented backdoor, named ‘Vyveva’, being deployed by the Lazarus hacker group.
The ESET research:
Vyveva is a backdoor that the Lazarus group has used in targeted attacks.
ESET's analysis of the Vyveva backdoor found strong similarities between the malware and known Lazarus tooling.
Although how the backdoor is deployed and operated has yet to be fully established, code parallels between Vyveva and the older Lazarus malware family Manuscrypt/NukeSped have been identified.
The Lazarus APT group:
For those unfamiliar with it, Lazarus is a North Korean state-sponsored hacker group.
Lazarus is believed to be the same group behind the global WannaCry ransomware outbreak of 2017, the $81 million Bangladesh Bank heist, attacks on South Korean supply chains, cryptocurrency theft, the 2014 Sony hack, and various other attacks on US organizations.
Most recently, the group has used Vyveva in attacks against a South African freight and logistics firm.
Malicious abilities of Vyveva backdoor:
The Vyveva backdoor was first spotted in June 2020 but is believed to have been active since 2018.
The backdoor connects to a remote command-and-control (C2) server, from which its operators can execute arbitrary code, exfiltrate sensitive files, and collect information about the infected systems.
Vyveva also uses fake TLS connections for its network communication, a component for reaching its C2 over the Tor network, and command-line execution chains that are characteristic of Lazarus tooling.
Among its other capabilities is a “timestomping” feature, which copies a file's creation, write and access times from a ‘donor’ file so that dropped or modified files blend in with their surroundings.
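To make the timestomping feature concrete, here is an added illustration (not ESET's code and not Vyveva's own implementation): it copies a donor file's timestamps onto a target with the POSIX `utime()` call, then applies the forensic check an incident responder would run against it. The sample files, the donor date and the 60-second slack in `suspicious_timestamps()` are all constructed for the demo. On Linux and macOS `utime()` can only set access and modification times; the inode change time (`ctime`) is written by the kernel and cannot be forged this way, which is exactly what the detection heuristic leans on.

```python
import os
import tempfile
from datetime import datetime, timezone


def timestomp(target, donor):
    """Copy the donor's access and modification times onto the target.

    This mirrors the 'donor file' trick described above. POSIX utime() cannot
    touch ctime, so the kernel stamps the target's ctime with the current time
    as a side effect of this call. (On Windows, st_ctime means creation time and
    setting it needs SetFileTime; not covered here.)
    """
    st = os.stat(donor)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
    return os.stat(target)


def suspicious_timestamps(path, slack_seconds=60):
    """Heuristic check for a stomped file.

    A freshly written file has ctime == mtime. If utime() was used to push mtime
    into the past, ctime stays at 'now', so mtime sits far behind ctime. The
    slack absorbs normal writes; legitimate metadata-only changes (chmod,
    rename) after the last write also trip this, so treat hits as leads, not proof.
    """
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > slack_seconds


def demo():
    """Constructed scenario: a donor with old timestamps, a stomped loot file,
    and an untouched control file. Returns the checks as a dict."""
    with tempfile.TemporaryDirectory() as d:
        donor = os.path.join(d, "donor.dll")
        target = os.path.join(d, "loot.tmp")
        normal = os.path.join(d, "normal.txt")
        for p in (donor, target, normal):
            with open(p, "w") as f:
                f.write("constructed sample content\n")

        # Give the donor an old, plausible timestamp (arbitrary demo date).
        old = datetime(2018, 12, 1, tzinfo=timezone.utc).timestamp()
        os.utime(donor, times=(old, old))

        timestomp(target, donor)

        return {
            # mtime copied exactly, down to the nanosecond the filesystem keeps
            "target_matches_donor": os.stat(target).st_mtime_ns == os.stat(donor).st_mtime_ns,
            # the stomped file shows mtime far behind ctime
            "stomped_flagged": suspicious_timestamps(target),
            # the control file does not
            "normal_flagged": suspicious_timestamps(normal),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the donor itself would also be flagged in this demo, because its old timestamps were forged with the same call; a real donor (a long-installed system DLL) carries an old ctime as well, which is why attackers pick them. A full $MFT comparison on NTFS ($STANDARD_INFORMATION versus $FILE_NAME) is the equivalent check on Windows hosts, which is where Vyveva operates.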
It can also filter by file type, for example collecting only Microsoft Office documents and skipping other extensions when copying and exfiltrating data.
“These components can trigger a connection to the C2 server outside the regular, preconfigured three-minute interval, and on new drive and session events,” ESET found.
ESET's attribution:
The researchers say the backdoor's codebase allowed them to attribute Vyveva to Lazarus with “high confidence”.